Patch management is like painting or gardening: At first glance, it may seem like routine and straightforward work. But in practice, it can prove much more challenging than it looks. Just as lack of prep work can spell disaster for a paint job, or forgetting to water and weed regularly can turn your garden into an eyesore, software patching mistakes may severely hamper your ability to carry out what should be the simple task of keeping apps up-to-date.
Keep reading for a look at the most common patch management oversights I’ve encountered in my career as an IT director, along with tips on how organizations can avoid them.
Not having a patching strategy
Probably the most common software patching mistake is lacking a coherent patching strategy.
Lack of strategy doesn’t mean that patching doesn’t happen at all. It means that patching occurs in an ad hoc fashion, without clear guidelines in place about when, how and how often an organization will apply patches.
To avoid this mistake, develop a clear set of patching controls and policies that define how your team will approach patching. Your strategy should reflect your capabilities and limitations; for example, smaller IT departments may not be able to apply every patch as quickly as it appears, so their strategies should identify which types of apps or patches they will prioritize.
Even if your patching strategy doesn’t include all of the practices that it would if you had unlimited resources, simply developing a plan that all stakeholders – IT leaders, practitioners and business executives – can support and lays the foundation for effective patching.
Not leveraging patch automation
There are many ways to automate software patching. You could use simple Remote Monitoring and Management (RMM) software to deploy patches to remote systems. You could rely on patching services built into the OS, like Windows Server Update Services, if they are available and cover the software you need to manage. Or you could adopt a tool purpose-built for patching, which is usually the best way to achieve the broadest coverage and the highest degree of automation.
But whichever type of patch automation tool you choose, your goal should be to ensure that you have at least some automations in place. Modern patch automation software is so reliable, and so inexpensive, that there’s simply no excuse for a primarily manual patching routine.
Being too afraid of bad patches
There is always a risk that a patch could cause more problems than it solves. It’s important to balance that risk by testing patches beforehand to the extent possible, as well as being strategic about when you apply patches. You may not want to patch a mission-critical system in the middle of a workday, for example.
That said, it’s equally critical to avoid a patching posture where you are so worried about the risks of a buggy patch that you fail to apply patches within a reasonable timeframe. If you leave major problems unpatched for too long, you may suffer severe security or performance issues.
On this front, it’s important to take context into account by assessing how important a given patch is. Performing more thorough testing on a patch that addresses a lower-priority bug may be feasible, whereas a patch for a severe zero-day security vulnerability is typically one that you’d want to install as quickly as possible, even if it means performing minimal patch testing beforehand.
Relying on users to install patches
A common patching mistake that I’ve seen among smaller organizations is effectively to outsource responsibility for patch management to end-users. For example, IT departments that lack the personnel to manage patches proactively may tell employees that it’s their responsibility to ensure they install patches whenever an app prompts them to do so.
The risks of this practice are obvious enough: Many users won’t actually install patches routinely, either because they don’t know how or they worry that patches will disrupt their workflows.
On top of that, there is the problem that installing patches often requires users to have admin rights – so if you push responsibility for patching onto your users, you need to grant them admin access to their machines. That in itself is a major risk because giving users admin permissions increases the risk that attackers who compromise their accounts will take full control of their systems.
A better approach is to automate patching using tools that can deploy patches on employees’ computers for them, without requiring the employees to have admin rights. That way, you can patch at scale even if you have limited IT resources, and you don’t have to accept the risk of users with admin accounts.
Lack of patch monitoring and auditing
Successful installation of a patch doesn’t mean that IT personnel can move on and never think about the patch again. On the contrary, it’s critical to monitor and audit systems after installing patches so that you can detect any performance or security quirks that might emerge due to a patch.
Even if you carefully tested the patch beforehand, there is always the risk that the patch might have unintended consequences. Patch monitoring and auditing allows teams to get ahead of those issues before they send users flocking to the help desk or disrupt business operations.
Ignoring patches from certain vendors
Some software vendors have extensive resources and release patches on a routine basis. Others are much smaller and may only produce patches irregularly.
For IT departments, it can be tempting to ignore the latter type of patches. After all, if your vendor doesn’t push out patches frequently, installing them may not seem very important.
The reality, though, is that it’s often extra important to install patches from vendors with limited resources because their patches tend to be especially critical. When a smaller company with a spotty history of patch releases introduces a new patch, you ought to pay attention and prioritize the patch.
You may also want to step back and evaluate whether to keep working with a vendor that doesn’t release patches often or regularly. But in the short term, make sure to close any vulnerabilities when new patches appear, no matter who the vendor is.
Conclusion: Patching as the foundation for modern security
The consequences of failing to patch effectively can be severe. Not only does ineffective patch management leave apps at risk of security and performance bugs, but it may also mean that your company won’t be covered by cybersecurity insurance in the event of an attack.
Avoid that risk by developing a patching strategy that allows you to patch efficiently and scalably by taking advantage of automation wherever possible to apply all available patches to all relevant endpoints within a timeframe that reflects the criticality of each patch.